[CentOS] IPV4 is nearly depleted, are you ready for IPV6?

Bob McConnell rmcconne at lightlink.com
Tue Dec 7 15:29:58 UTC 2010


Adam Tauno Williams wrote:
> On Mon, 2010-12-06 at 18:28 -0500, Bob McConnell wrote: 
>>> IPv6 is not broken by design. NAT was implemented to extend the time
>>> until IPv4 exhaustion. A side effect was hiding the internal IPv4
>>> address, which complicates a number of protocols like FTP and SIP. The
>>> only downside I see is ISPs could try and charge based on the number
>>> of IPv6 addresses being used.
>> No, the downside is that each address used will be exposed to the world.
> 
> False.  That is *NOT* a downside.
> 
> NAT is *NOT* a magic sauce - install a firewall [which you probably
> already have].  Problem solved.
> 
>> I consider that a serious security flaw. 
> 
> It is not.
> 
>> Having my ISP know how many 
>> computers I have is a minor issue covered by the contract I have with 
>> them. 
> 
> So you want to cheap on the legal contract you agreed to?

No, if they want too much money before I can install additional 
computers, I have several other choices, some of which will likely be 
less expensive. Currently, their TOS is not an issue.

>> But having all of those addresses exposed to Russian mobsters, 
>> terrorists, crackers and everyone else that knows how to capture packets 
>> is another matter altogether. If IPv6 exposes that information to the 
>> world, it is definitely unsafe to use.
> 
> The "Russian mobsters" can already do that; if you think NAT is
> protecting you from that then you are mistaken.

NAT hides the IP addresses of the computers inside my firewall. The only 
address exposed is the temporary address assigned to the firewall 
itself. That box can be run on the most secure OS I can find (currently 
one of the BSD's), and allows me to operate other systems behind it that 
aren't as well protected. This makes it significantly more difficult for 
those mobsters to penetrate my network.

Not allowing the most popular OS on the network at all is another layer 
of protection. Keeping everything up to date is another. It is a well 
known and established process to keep my computers secure. But now you 
are taking away one of those layers without providing anything of equal 
strength to replace it. I fail to see how that is an improvement. 
However, it appears some of you are actually evangelists in disguise, 
and refuse to acknowledge any real concerns about this change. So it 
becomes pointless to continue the discussion.

Bob McConnell
N2SPP



More information about the CentOS mailing list